Fluid Attacks Database

FISMA

Last updated: 2024/01/12

The Federal Information Security Management Act (FISMA) was originally passed in 2002 as part of the Electronic Government Act. FISMA defines a framework of guidelines and security standards to protect government information and operations. FISMA requires all federal agencies to develop, document and implement agency-wide information security programs. NIST SP 800-53 serves as the primary resource that federal agencies use to implement the security controls required by FISMA. The IDs for these controls correspond to those of the NIST 800-53 standard. The version used for this section is NIST 800-53, Rev. 5, September 2020.

Control-Requirement Mapping

Definition	Requirements
AC-2_2. Removal of temporary or emergency accounts	023. Terminate inactive user sessions 027. Allow session lockout
AC-2_3. Disable accounts	144. Remove inactive accounts periodically
AC-2_4. Automated audit actions	301. Notify configuration changes
AC-2_6. Dynamic privilege management	095. Define users with privileges 096. Set user's required privileges
AC-2_7a. Establish and administer privileged user accounts	095. Define users with privileges 096. Set user's required privileges
AC-2_7b. Monitor privileged role or attribute assignments	095. Define users with privileges 096. Set user's required privileges
AC-2_7c. Monitor changes to roles or attributes	095. Define users with privileges 096. Set user's required privileges
AC-2_10. Shared and group account credential change	144. Remove inactive accounts periodically
AC-2_13. Disable accounts for high-risk individuals	144. Remove inactive accounts periodically 027. Allow session lockout
AC-6. Least privilege	186. Use the principle of least privilege
AC-12. Session termination	369. Set a maximum lifetime in sessions 023. Terminate inactive user sessions
AC-18_5. Antennas and transmission power levels	249. Locate access points
IA-1. Policy and procedures	229. Request access credentials
IA-2. Identification and authentication (organizational users)	121. Guarantee uniqueness of emails 229. Request access credentials 257. Access based on user credentials 265. Restrict access to critical processes
IA-7. Cryptographic module authentication	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
PL-4_1. Social media and external site/applications usage restrictions	260. Use alternative emails
SC-3. Security function isolation	235. Define credential interface

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.